From: Brian Hescock (bhescock@xxxxxxxxx)
Date: Fri Nov 02 2001 - 12:13:56 GMT-3
There will be several possible symptoms and you might not see all of
them:
- memory allocation failures (out of memory)
- high cpu
- if running nat, run "show ip nat stat" and you may see an
extraordinary number of translations
- "show ip cache" and look at the number of ip cache entries. If you're
getting memory allocation errors, do "clear ip cache" and you'll see the
amount of free memory skyrocket then start going down again.
Solutions:
- To see if you're infected, configure CEF and configure NBAR, which
will not only block or rate-limit the traffic but will show you how many
matches you have
- or run "show buffers input-interface x" and look for one or more hosts
continually sending to port 80 then filter those addresses.
- if you can't run CEF, due to IOS code version, create an access-list
blocking all traffic to port 80 (www) and apply it to all interfaces.
Then do "clear ip cache" and see if your memory is stable. If it is,
odds are you have someone infected.
- you could also put a sniffer on the network and look at your top
talkers for web traffic, odds are they're the culprit and filter them.
- you could also use netflow to find the infected host due.
- if no sniffer and nothing above worked, use a binary search with an
access-list to identify the offender. Example:
let's say your networks are on 172.16.x.x. You could block all of that
network with destination to port 80 and see if everything is stable. If
it is then the infection is one of your hosts. Then break the address
space in half and see if 172.16.0.0 through 172.16.126.255 and see if
it's still stable when you apply the access-list. If no, then the
infected server is within that segment and break that in half:
172.16.128.0 - 172.16.255.255, and so on until you get it down to a
specific subnet / host.
I've had to do this for customers a few times, just yesterday also, and
the only option we had was the binary search method and we isolated it
down to an IIS server in Seoul, Korea and it was coming in one of his
serial links and was trashing his memory.
Brian
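The binary-search isolation described above, as an added Python example that is not part of the original thread: it halves the address space step by step and emits the extended access-list lines you would apply at each step. The ACL number 101 and the infected host 172.16.45.7 are constructed assumptions, and `simulated_router` stands in for the real check of applying the ACL, doing "clear ip cache" and watching whether free memory stays stable.

```python
import ipaddress
from typing import Callable, List, Tuple

# Hypothetical extended-ACL number; any number in the 100-199 range would do.
ACL_NUMBER = 101


def acl_lines(net) -> List[str]:
    """Extended ACL that denies only web (tcp/80) traffic sourced from `net`
    and permits everything else, using Cisco wildcard-mask syntax."""
    net = ipaddress.ip_network(net)
    if net.prefixlen == 32:
        src = f"host {net.network_address}"
    else:
        # hostmask is the inverted subnet mask, i.e. the Cisco wildcard mask
        src = f"{net.network_address} {net.hostmask}"
    return [
        f"access-list {ACL_NUMBER} deny tcp {src} any eq www",
        f"access-list {ACL_NUMBER} permit ip any any",
    ]


def simulated_router(culprit: str) -> Callable[[ipaddress.IPv4Network], bool]:
    """Constructed stand-in for 'apply ACL, clear ip cache, watch memory':
    memory is stable exactly when the blocked range contains the offender."""
    bad = ipaddress.ip_address(culprit)
    return lambda net: bad in net


def isolate(space: str, stable_when_blocked) -> Tuple[str, List[str]]:
    """Binary-search `space` for the single host whose blocking keeps router
    memory stable. Returns the host and every range that had to be tested."""
    net = ipaddress.ip_network(space)
    if not stable_when_blocked(net):
        raise ValueError("blocking the whole space did not help; offender is elsewhere")
    tested = [str(net)]
    while net.prefixlen < 32:
        lo, hi = net.subnets(prefixlen_diff=1)
        tested.append(str(lo))           # one ACL applied per halving step
        net = lo if stable_when_blocked(lo) else hi
    return str(net), tested


if __name__ == "__main__":
    host, tested = isolate("172.16.0.0/16", simulated_router("172.16.45.7"))
    for step in tested:
        print(f"{step:20}  {acl_lines(step)[0]}")
    print("offender:", host)
```

For a /16 this takes 16 halving steps, each one an ACL change plus a "clear ip cache" and a look at free memory.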
andrew.2.shore@bt.com wrote:
> Check to see if it's running Microsoft IIS !!!
>
> Or SHOW Viruses Detail
>
> Andrew Shore. CCNP+Security, MCSE, CCP, BSc
> Network Consultant
> Internetworking Solutions Limited
>
> -----Original Message-----
> From: Tyler Barrus [mailto:tbarrus@cisco.com]
> Sent: 02 November 2001 13:54
> To: ccielab
> Subject: NIMDA Virus
>
> How can you tell if your router has the NIMDA virus?
>
> Tyler
This archive was generated by hypermail 2.1.4 : Fri Jun 21 2002 - 06:45:02 GMT-3